Lab-based Threat Emulations powered by CYBER RANGES

Celebrating Cyber Security Awareness Month 2023

Threat Emulation Series

Let your Cyber Defense team loose on the latest threat intelligence!

As a CISO, level up your SOC Team by investing in this unique, highly rewarding and transformational 6-part Threat Emulation series

CYBER RANGES is the Cyber-Range-of-Choice for MITRE ATT&CK Threat-informed Defense programs (19-Apr-2022)

MITRE ATT&CK Defender

What's Included In Our 6-Month, 5-User, Threat Emulation Package Offer

"The incident has occurred, time is running out, is your team ready to analyze the threat?"

Perfect for regularly testing Incident Response/SOC teams with world-class, cyber range labs, incorporating the latest threat intelligence.

6 Instructor-Led Events

Give your team (up to 5) a monthly workout over 6 months with an expert, instructor-led, *monthly event program. These unique and highly rewarding monthly events will familiarize your team with CYBER RANGES and help you learn and practice on the latest cyber threats.

*See below for full agenda

24/7 Support For Open Labs

Each month your team will gain 24/7 support via a private Discord channel made available to your team.

This 24/7 support will give you access to our internal Scenario Foundry and range masters’ here at CYBER RANGES.

Individual Accredible Badges

Each team member will achieve an Accredible Badge of Participation once the 6-month period of events and lab access have been completed.

5-User Access Offer

– 6 Instructor-led events based on key threat intelligence spread over 6 months
Contact Us

Level up your SOC team by investing in this unique and highly rewarding 6-Part Threat Emulation series

Save over $10,000 on a 5-user license to our 6-month Threat Intelligence Series

Any questions?

contact@cyberranges.com

6-Month, Instructor-led Threat Emulation Agenda

Supply Chain Attack

In a sophisticated attack, an attacker adeptly employs spear phishing to compromise a software development team member within a targeted organization…

Learn More

Ransomware Rampage

An attacker exploits an SMB server within the corporate DMZ, leading to the establishment of command-and-control communication…

Learn More

CL0P Ransomware

An attacker exploits an ActiveMQ messaging server in the corporate DMZ, gaining code execution and establishing command-and-control communication through deployed malware…
Learn More

Contact Us

An attacker exploits a web server vulnerability that exposes a configuration file, obtaining credentials to breach a company’s internal server…

Learn More

Wizard Spider

During a successful phishing campaing, a threat actor establishes C2 comms after a staff member of a targetted organization opens an Emotet maldoc…
Learn More

Atom Silo

After a network configuration change, an application endpoint is exposed to the internet. An attacker successfully exploits a vulnerability on the exposed endpoint and gains code execution…
Learn More

6-Month Threat Emulation Event Agenda In Detail

Supply Chain Attack

Supply Chain Attack 1

TBD

Instructor

Varun Gupta
Contact Us
Threat Actor - white

Threat Actor

Indrik Spider

Threat Type - white

Threat Type

Ransomware

Tools white

Attacker Tools

  • Wasted Locker
  • Cobalt Strike
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Money Theft
  • Data Exfiltration
  • Service Availability
Rating - white

Difficulty

Intermediate

Analysis Tools - white

Analysis Tools

  • Arkime
  • Wazhu

Supply Chain Attack Background

In a sophisticated attack, an attacker adeptly employs spear phishing to compromise a software development team member within a targeted organization.

This initial breach enables the attacker to infect both the team member’s system and several deployed code servers. Subsequently, the attacker establishes a command-and-control connection, facilitating lateral movement through the network.

This progression culminates in the compromise of the core banking application, allowing the attacker to successfully conduct fraudulent transactions. Following the fund transfer, the attacker deploys ransomware across the network and sends extortion emails to multiple accounts, demanding payment to prevent the exposure of exfiltrated data.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Develop Capabilities – T1587

• Phishing mail – T1566

• User Execution – T1204

• Supply Chain Compromise – T1195

• Command and Scripting Interpreter: Windows Command Shell – T1059.003

• System Network Connections Discovery – T1049

• Steal Application Access Token – T1528

• Create Account: Domain Account – T1136.002

• Valid Accounts: Domain Accounts – T1078.002

• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001

• Input Capture: Keylogging – T1056.001

• Application Window Discovery – T1010

• Exfiltration Over C2 Channel – T1041

• Use Alternate Authentication Material: Application Access Token – T1550.001

• Data Encrypted for Impact – T1486

Ransomware Rampage

Ransomware Rampage - A

TBD

Instructor

Trevor Saudi
Contact Us
Threat Actor - white

Threat Actor

LockBit

Threat Type - white

Threat Type

Ransomware

Tools white

Attacker Tools

  • Custom Ransomware
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Data Exfiltration
  • Service Availability
Rating - white

Difficulty

Intermediate

Tools white

Analysis Tools

  • Arkime
  • Wazhu
  • Various open source reverse engineering tools

Ransomware Rampage Background

An attacker exploits an SMB server within the corporate DMZ, leading to the establishment of command-and-control communication.

Operating system credentials are extracted from the compromised server, providing valid usernames and corresponding hashes.

This information enables the attacker to execute a credentials stuffing attack on the corporate LAN, permitting login to a single workstation through a standard user account.

Once within the LAN, the attacker leverages an unquoted service path vulnerability to elevate privileges to NT\Authority.

Further exploitation involves additional operating system hash extraction. With the obtained credentials, the attacker initiates a ransomware deployment on the LAN workstations.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

4. Reverse Engineering

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Active Scanning – T1595

• Brute Force – T1110

• Gather Victim Identity Information – T1589

• Command and Scripting Interpreter – T1059

• OS Credential Dumping – T1003

• System Owner User Discovery – T1033

• Remote System Discovery – T1018

• Account Discovery: Domain Account – T1087.002

• Permission Groups Discovery – T1069

• Valid Accounts: Local Accounts – T1078

• Valid Accounts: Domain Accounts – T1078.002

• Exploitation for Privilege Escalation – T1068

• Compromise infrastructure – T1586

• Archive Collected Data – T1560

• Data Encrypted for Impact – T1486

Cl0p Ransomware

cl0p Ransomware - B

TBD

Instructor

Nelly Mutai​
Contact Us
Threat Actor - white

Threat Actor

BlackMatter

Threat Type - white

Threat Type

Ransomware

Tools white

Attacker Tools

  • Cl0p
  • Ransomware
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Data Exfiltration
  • Service Availability
Rating - white

Difficulty

Intermediate

Tools white

Analysis Tools

  • Arkime
  • Wazhu
  • Various open source reverse engineering tools

Supply Chain Attack Background

An attacker exploits an ActiveMQ messaging server in the corporate DMZ, gaining code execution and establishing command-and-control communication through deployed malware. Subsequent network scans lead to compromising the a CI/CD server, enabling remote code execution via groovy script manipulation.

Exfiltration of data occurs via established command links, while credential reuse facilitates network access through credential stuffing and Active Directory enumeration. With lateral movement into the Domain Controller and leveraging administrative privileges, the attacker deploys ransomware across the interconnected workstations on the network.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Active Scanning – T1595

• Brute Force – T1110

• Command and Scripting Interpreter – T1059

• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001

• Account Discovery: Domain Account – T1087.002

• File And Directory Discovery – T1083

• Permission Groups Discovery – T1069

• Account Manipulation – T1098

• Valid Accounts: Domain Accounts – T1078.002

• Compromise infrastructure – T1584

• System Service Discovery – T1007

• Remote Services: SMB/Windows Admin Shares – T1021.002

• Data Encrypted for Impact – T1486

• Exfiltration Over C2 Channel – T1041

Contact Us

Contact Us - B 1

TBD

Instructor

Amarjit Labhuram​
Contact Us
Threat Actor - white

Threat Actor

MuddyWater

Threat Type - white

Threat Type

Espionage

Tools white

Attacker Tools

  • Kodiak
  • Mimikatz
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Data Exfiltration
Rating - white

Difficulty

Intermediate

Tools white

Analysis Tools

  • Arkime
  • Wazhu

Contact Us Background

An attacker exploits a web server vulnerability that exposes a configuration file, obtaining credentials to breach a
company’s internal server.

With access secured, the attacker deploys agents onto employee desktops, communicating sensitive data to a Command-and-Control (C2C) server.

After post exploitation activities, the resulting damage includes webpage defacement and the publication of company files containing compromising information.

The attacker then demands a ransom from the company to prevent further leaks of such documents to the public.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Active Scanning – T1595

• Exploit Public-Facing Application – T1190

• Command and Scripting Interpreter – T1059

• Boot or Logon Autostart Execution: Registry Run

• Keys / Startup Folder – T1547.001

• System Shutdown/Reboot – T1529

• Gather Victim Host Information – T1592

• Input Capture: Keylogging – T1056.001

• System Information Discovery – T1082

• Input Capture: Keylogging – T1056.001

• Valid Accounts: Domain Accounts – T1078.002

• Application Window Discovery – T1010

• Remote System Discovery – T1018

• Remote Services: SMB/Windows Admin Shares – T1021.002

• Exfiltration Over C2 Channel – T1041

• Archive Collected Data – T1560

Wizard Spider

Wizard Spider - B

TBD

Instructor

Trevor Saudi
Contact Us
Threat Actor - white

Threat Actor

Wizard Spider

Threat Type - white

Threat Type

Ransomware

Tools white

Attacker Tools

  • Ryuk
  • Emotet
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Data Exfiltration
  • Service Availability
Rating - white

Difficulty

Intermediate

Tools white

Analysis Tools

  • Arkime
  • Wazhu
  • Various open source reverse engineering tools

Wizard Spider Background

During a successful phishing campaing, a threat actor establishes C2 comms after a staff member of a targetted
organization opens an Emotet maldoc.

Once the attacker obtained communication on the workstation they
managed to discover other assets on the network and successfully exploit vulnerabilities enumerated allowing for
them to move laterally within the network.

The attacker is able to exfiltrate sensitive medical records of patients as
well as destroy backups before rolling out of their ransomware and threatening to expose the information collected.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

4. Reverse Engineering

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Develop Capabilities – T1587

• Phishing: Spearphishing Attachment – T1566.001

• User Execution – T1204

• Defense Evasion – TA0005

• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001

• Process Discovery – T1057

• Gather Victim Host Information – T1592

• Compromise Client Software Binary – T1554

• Password Policy Discovery – T1201

• Permission Groups Discovery: Domain Groups -T1069.002

• Account Discovery: Domain Account – T1087.002

• Remote System Discovery – T1018

• Valid Accounts: Local Accounts – T1078

• Windows Management Instrumentation – T1047

• Steal or Forge Kerberos Tickets – T1558

• OS Credential Dumping – T1003

• Compromise infrastructure – T1584

• Exfiltration Over C2 Channel – T1041

• Data Encrypted for Impact- T1486

Atom Silo

Atom Slio - C 1

TBD

Instructor

Amarjit Labhuram​
Contact Us
Threat Actor - white

Threat Actor

Atom Silo

Threat Type - white

Threat Type

Ransomware

Tools white

Attacker Tools

  • Atom Silo
  • Ransomware
Threat Rating - white

Threat Rating

High

Threat Impact - white

Threat Impact

  • Data Exfiltration
Rating - white

Difficulty

Intermediate

Tools white

Analysis Tools

  • Arkime
  • Wazhu
  • Various open source reverse engineering tools

Atom Silo Background

After a network configuration change, an application endpoint is exposed to the internet.

An attacker successfully exploits a vulnerability on the exposed endpoint and gains code execution.

They are able to bring additional malware on to the target and establish C2 communication.

The attackers then proceed to perform post exploitation procedures to gain privileges and move laterally accross various infrastructure on the organizations internal networks.

Once they had achieved the escalation objective, they proceeded to deploy ransomware accross the workstations on the network.

Target Audience

This scenario is targetted towards individuals in SOCs looking to improve their skills in:

1. Incident Response

2. Triage

3. Attribution

4. Reverse Engineering

MITRE ATT&CK® TTPs

• Acquire Infrastructure: Server – T1583.004

• Active Scanning – T1595

• Exploitation of Remote Services – T1210

• Valid Accounts: Domain Accounts – T1078.002

• Deploy Container – T1610

• Command and Scripting Interpreter – T1059

• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001

• Exfiltration Over C2 Channel – T1041

• Impair Defenses: Disable or Modify Tools – T1562.001

Save over $10,000 on a 5 user license to our 6 month Threat Intelligence Series.

Contact Us

Your Instructors

Amarjit Labhuram

Amarjit Labhuram is the lead of the Threat Emulation team at CYBER RANGES specializing in Offensive Security and Red Teaming. His role involves regular training and guiding stakeholders on effective detection, response, and mitigation strategies. He has hands-on experience in Red Team and Adversary Simulation operations, where he hones his craft of offensive capability development. He's particularly drawn to the intricacies of Microsoft Windows system programming and is actively engaged in research, which includes crafting custom implants and refining Tactics Techniques and Procedures (TTPs) for Simulated Attack missions. He proudly holds certifications like CRTE, SANS SEC565 Red Team Operations and Adversary Emulation, and CRTO, showcasing his expertise in the field.
Amarjit LabhuramHead of Threat Emulation
Amarjit Labhuram Trainer CYBER RANGES

Trevor Saudi

Trevor Saudi is a Cyber Security Consultant specializing in Offensive Security and Red Teaming. He currently works with CYBER RANGES as a technical content engineer. His experience has been instrumental in creating and maintaining various realistic and highly technical cyber ranges used in adversary emulation exercises. His role involves regular training and guiding stakeholders on effective detection, response, and mitigation strategies. He has a strong background in programming and holds several prestigious certifications such as CRTO, eCPPT, LPIC-101, C|EH Master
Trevor SaudiCyber Security Consultant
Trevor Saudi Trainer CYBER RANGES

Nelly Mutai

Nelly holds a key position as a Cyber Security Consultant at CYBER RANGES, specializing in Offensive Security. In her role as a technical content engineer within the Threat Emulation team, she has been instrumental in both the creation and maintenance of various complex cyber ranges used for adversary emulation. Her responsibilities extend to regular training and guidance for stakeholders, where she emphasizes effective strategies for detection, response, and mitigation of security threats. With a strong foundation in Python and Java programming, penetration testing, network security, and security compliance, Nelly's expertise adds significant value to her field. Her qualifications are further demonstrated through her certifications in Certified Ethical Hacking and Azure, showcasing her wide-ranging capabilities.
Nelly MutaiCyber Security Consultant
Nelly Mutai Trainer CYBER RANGES

Varun Gupta

Varun Gupta is a distinguished Technical Content Engineer at CYBER RANGES, bringing a wealth of expertise and experience to the realm of cybersecurity. With a robust background in offensive security research and a proven track record of crafting realistic scenarios for corporate training and adversary emulation exercises, Varun is a trusted authority in the field. His responsibilities include training for corporate staff, where he emphasizes effective strategies for detection, response, and mitigation of security threats. Additionally, Varun Gupta has extensive experience as a penetration tester, further bolstering his deep knowledge of cybersecurity. Varun holds several industry-recognized certifications, including Certified Red Team Operator (CRTO), Practical Network Penetration Tester (PNPT), Certified Ethical Hacker Master (C|EH Master).
Varun GuptaCyber Security Consultant
Varun Gupta Trainer CYBER RANGES
Contact Us

Trusted By...

"We carried out quite an extensive search for a Cyber Range for our clients and internally. We needed something flexible to train own people and for our clients. CYBER RANGES met our internal and client needs perfectly"
D’Arcy MoynaughPartner CyberSecurity, Deloitte, Canada
D’Arcy Moynaugh
"Not only will these hands-on training resources greatly benefit cybersecurity professionals on an individual basis, they will also provide greater peace of mind for organizations as a whole"
Chriss KnisleyGeneral Manager, MITRE ATT&CK Defender (MAD)
Chriss Knisley MITRE
"Most cyber teams see few active and aggressive threats in a live environment, being able to simulate a live environment where they can rehearse, simulate, iterate and approve is essential to building muscle memory"
Jim FooteGlobal Chief Security Technologist (Micro Focus | CyberRes)
Jim Foote
CYBER RANGES Logo

Learn, train, test, measure, and improve your digital dexterity and cyber resilience on our next-gen military-grade CYBER RANGES platform and technology.

Linkedin Youtube Twitter Facebook

Contact

Speak to Sales
Book a Demo

News and Events

Bootcamps and Webinars
Podcasts and Interviews
Blog
Press and Announcements
Corporate Events

White Paper

'Understanding Cyber Ranges from Hype to Reality'

Cyber Range Environments and Technical Exercises
Get White Paper
whitepaper

Our Offices

USA: Quantico Cyber Hub, Suite 305, 1010 Corporate Drive, Stafford, VA 22554

Canada: 10th Floor, Suite 1000, Bankers Hall West, 888 3rd Street SW, Calgary, AB T2P 5C5

UK: Sheffield Technology Parks, Cooper Buildings, Arundel Gate, Sheffield, S1 2NS

Cyprus: G & N Court, 41 Pafou Street, 3051, Limassol

Kenya: Eldama Park, Tsavo Wing, Eldama Ravine Road, Westlands, Nairobi, PO Box 25388 – 00100 GPO

Site Links

Sitemap

Privacy Policy

Terms and Conditions

Ⓒ 2023 All Rights Are Reserved

Scroll to Top